Open Source Done Right: Interview With Yubico’s Fredrik Thulin

Last month we had the chance to review Yubico’s YubiKey, a low cost, high accessibility authentication token that is aiming to change the way individuals connect with their online services. We came away very impressed, and with the distinct impression that Yubico was really on to something with not only their product, but their business model and goals: Yubico offers their services for free and released their server and client APIs as free software.

Fredrik

We got in contact with Yubico hoping to learn a little bit more about what makes this highly successful open source business tick. We were directed to Yubico’s Open Source Manager, Fredrik Thulin, who was able to answer some of our questions and give us valuable insight into a company doing open source the right way.

Open Source At Yubico

The Powerbase: Fredrik, thanks for taking the time to answer a few questions. To start, can you introduce yourself to our readers?

Fredrik: Thanks for asking. I’m from Stockholm, Sweden. I’ve been interested in technology all my life, and have this far spent my whole career working with software development as well as building networks and services, first with an ISP and then at the IT department of one of Sweden’s largest universities. When I was around 14-15 years old, I used to write freeware tools and upload to BBS systems, and when Internet came to town I started using Linux. That’s when I learned about open source, and around 2000 I nervously started contributing patches to some projects. 12 years later, I’m the open source manager at Yubico and I’m not nervous any more.

The Powerbase: We were very impressed to see that Yubico even has a Open Source Manager. What exactly are the day to day responsibilities of your position?

Fredrik: I have the over all responsibility to make Yubico a well regarded member of the open source community. We don’t just want to dump some code on the Internet and say we are open source friendly, we want to maintain those projects properly, collaborate with others interested in new features, continuously improve documentation and code quality and make new releases with contributed improvements in a timely fashion.

I write code, review and (most of the time) merge patches and generally provide an interface between open source developers and Yubico. My job also includes making up strategies around open source. What are the core software components that Yubico should reasonably develop and maintain, and what should we leave for others? What other open source companies should we try to partner with? etc.

The Powerbase: It looks like it would be safe to say that open source is a big part of the Yubico philosophy. How would you say Yubico’s commitment to open source has influenced the company and it’s line of products?

Fredrik: The decision to go open source dates back to several years prior to me joining Yubico, but I think it was decisive in making Yubico the most open, transparent and (hopefully) friendly authentication token manufacturer there is today.

I remember seeing an old internal e-mail thread talking about the fact that people would soon reverse engineer the YubiKey configuration protocol, and at the end of the thread the problem was sort of nullified since the decision had been made to open source the tools and publish the complete interface. I’m happy they reached that conclusion – I think companies should allow customers to fully use products they’ve already paid for.

I also think it has led to us working for Yubico becoming happier. Everyone wants to be appreciated, and offering our customers more and more ways of using their YubiKeys for free (even long time after the purchase) is a good way to receive gratitude. We have very many happy customers, and do our best to keep it that way.

The Powerbase: Do you feel Yubico would be as successful if they hadn’t gone with an open source business model?

Fredrik: I’ll try to not sound too biased and answer that with “it depends”. Perhaps Yubico would have been as successful as we are today but no way as successful as we are aiming to be.

At the risk of being too idealistic (when asking my employer what I could improve, I was recently told I’m sometimes a bit too idealistic ) I’ll say that what we want to do is to really change the world. We want to increase internet security, for everyone. We want to sell billions (10^9) of tokens, and we want those tokens to be used.

Smart card tokens are the only ones reaching those numbers, with all the other kind of authentication tokens way, way behind. The biggest
problems with smart cards are that they require drivers – vendor specific drivers, and the complexity and fragile nature of course. No closed source token vendor will come anywhere near that number of tokens, although that does not equate to them not being successful if success is measured as shareholder dividend for example.

The Powerbase: With the open source APIs, self-support on the Yubico forums, and free access to the YubiKey One-Time Password (OTP) validation service, how exactly does Yubico make it’s money?

Fredrik: That’s really quite easy – we sell hardware.

I wouldn’t be surprised if our closed source competitors make their money primarily by selling software, licenses and support rather than hardware. I’m quite sure we could get more revenue per employee if we were also selling services, but you can’t scale to billions of tokens if you are really trying to sell services.

Needless to say, but to actually be able to sell that many tokens they have to be good – really good. They also must be usable by as many humans as possible. On a global scale, that includes making them usable by those partially sighted, illiterate, and not to forget, children and youths. Batteries also doesn’t work well in all conditions, and also not if you only buy one token in a lifetime. Ok, once in a lifetime might be a bit long even for a YubiKey, but say decade then.

Tom is a Network Engineer with focus on GNU/Linux and open source software. He is a frequent submitter to "2600", and maintains a personal site of his projects and areas of research at: www.digifail.com .